06-05-2012 02:29 PM - edited 03-07-2019 07:05 AM
Hi everybody.
Host h1 and host h2 are in the same VLAN, say VLAN 5. We must use a VLAN access list to stop any communication between h1 and h2, considering the fact that source h1 and destination h2 are located off different switches.
h1---------sw1-trunk----sw2---trunk--sw3----h2
h1 199.199.199.1
h2 199.199.199.2
============================================
A VLAN access list requires a VLAN access-map to be configured. A VLAN access-map consists of match and action statements.
Consider the following statement/command
Switch(config-access-map)# action { drop | forward [capture] | redirect TYPE MOD/NUM }
How does the option "capture" work?
thanks and have a nice week
06-05-2012 02:46 PM
Hi Sarah,
Are you looking at an older version of IOS? From a 3750 running 12.2(52), I only see drop and forward. Have a look:
Switch(config-access-map)#action ?
drop Drop packets
forward Forward packets
Switch(config-access-map)#action
HTH
06-05-2012 03:14 PM
I see the redirect option on my 6509
6509(config-access-map)#action ?
drop Drop packets
forward Forward packets
redirect Redirect packets
06-05-2012 03:17 PM
what ver of IOS are you running?
06-05-2012 03:19 PM
s72033-advipservicesk9_wan-mz.122-33.SXJ2.bin
Seems like by using redirect we can send traffic to different physical interfaces based on matching criteria, but I don't see the capture option in my output.
Below link gives an example for capture option.
Can use VACL to capture certain traffic (based on access-list matching criteria) and forward that to IDS or IPS for monitoring
http://voices.yahoo.com/overcoming-limitations-cisco-span-vacls-4896488.html
06-05-2012 03:28 PM
Thanks,
So, looking at this link, it appears that both capture and redirect were part of an older IOS version and now the capture is removed and redirect is still there.
06-05-2012 04:04 PM
Thanks Reza and siddhartham
If we have to block communication between two hosts in the same VLAN using a VLAN access list, should they be located off the same switch, or could they be located off different switches?
thanks
06-05-2012 05:42 PM
Hi Sarah,
The filtering is based on the IP address of the host, so they could be in different switches. One other way to do this is by using private vlans and putting hosts in isolated mode, so they can't communicate with each other.
Here is a link for reference:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml
Thanks,
Reza
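For readers who want to see the VACL that the question and Reza's answer describe, here is an added configuration example; it is not part of the thread and not from any of the posters. It uses the two host addresses from the question (199.199.199.1 and 199.199.199.2) and VLAN 5; the ACL name H1-H2-TRAFFIC and the access-map name BLOCK-H1-H2 are assumed names chosen for this example. Because the filter matches on the hosts' IP addresses, it works whether h1 and h2 are on the same switch or not; apply it on each switch where VLAN 5 traffic between the two hosts enters (in the question's topology, sw1 and sw3).

```cisco
! Added example, not from the original thread. Names are assumed.
! Step 1: an extended ACL that *identifies* the traffic to drop.
! In a VACL, "permit" means "this traffic matches the map entry";
! it does not by itself permit or deny anything.
ip access-list extended H1-H2-TRAFFIC
 permit ip host 199.199.199.1 host 199.199.199.2
 permit ip host 199.199.199.2 host 199.199.199.1
!
! Step 2: the access-map. Sequence 10 drops matched h1<->h2 traffic.
vlan access-map BLOCK-H1-H2 10
 match ip address H1-H2-TRAFFIC
 action drop
! Sequence 20 has no match clause, so it matches everything else.
! A VACL ends with an implicit deny; without this entry all other
! VLAN 5 traffic (including ARP and other non-IP frames) is dropped.
vlan access-map BLOCK-H1-H2 20
 action forward
!
! Step 3: bind the map to VLAN 5. Repeat on every switch where
! h1<->h2 traffic enters VLAN 5 (sw1 and sw3 in the question).
vlan filter BLOCK-H1-H2 vlan-list 5
!
! Verification (run from privileged EXEC):
!   show vlan access-map BLOCK-H1-H2
!   show vlan filter
```

Two checks worth doing after applying it: confirm with show vlan filter that the map is bound to VLAN 5 on every switch you expect, and ping in both directions, since a VACL is applied to all packets bridged within the VLAN on that switch, not per direction. Note that VACLs are checked on the switch where the frame is bridged, so a switch in the middle of the path that has no filter does not undo a drop already enforced on sw1 or sw3.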